ID. Date of interview 
date 42/92/20 


ID. Time interview started 
start 44:49:37 


ID.end Completion date of interview 
Date 42/02/20 


ID.end Time interview ended 
14:38:02 


ID. Duration of interview 
time 168.42 




ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
O Yes
O No
O Unsure / don't know

If no or unsure/don’t know, what other issues would you like to be covered in it? 


In general, yes, the draft guidance does cover the relevant issues about the right of access. The draft
guidance is welcomed and it will prove to be a useful practical tool for those handling data subject access
requests (DSARs). It provides much needed clarification of certain points e.g. examples of factors that
may, in some circumstances, add to the complexity of a request. The draft also usefully reinforces the
need for adequate information management systems and effective records management policies.

Whilst the guidance does provide useful detail, there are several issues facing organisations which
should be considered for inclusion:-

1. Requests from third parties

The financial sector has encountered increased volumes of DSARs from claims management companies,
accompanied with authority to act from the data subject. Whilst the guidance touches upon these types of
requests in the section on bulk requests (consider each individually), we wish to make the ICO aware of
the following issues:-

We are keen to ensure that the data subject truly understands the nature of the authority provided and
the extent of the information that would be disclosed. The guidance touches on this by stating that “if you
think an individual may not understand what information would be disclosed, and in particular, you are
concerned about disclosing excessive information, you should contact the individual first to make them
aware of your concerns”. Whilst this aspect is touched upon, the guidance could be expanded to address
concerns, in particular, where the third party has specifically stated not to contact the data subject.

These requests are often marked as DSARs and use standard letter templates. Having sought clarity of
the scope of these directly with these third parties, a number of these have been established as standard
“business as usual requests” for information rather than DSARs. If clarity had not been sought directly,
excessive personal information would have been released. A number of these requests have been clearly
issued by these third parties to a range of organisations to determine if personal information is held, with
little or no detail in the initial request.

2. Seeking clarity on time limit

The draft guidance states that you may ask an individual to specify the information or processing
activities the request relates to before responding to


Q2 


Does the draft guidance contain the right level of detail? 
O Yes
O No
O Unsure / don't know


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


In general, yes, the guidance does contain the right level of detail. There is a good combination of
guidance, practical examples and signposting (to relevant provisions/further reading). That said, in
some areas, greater detail would be welcomed for the following areas:-

1. Complex Requests

There is a good level of detail here but the ICO may want to consider if needing to seek legal advice may
be a relevant factor that may, in some circumstances, add to the justification for classifying a request as
complex.

2. Charging a fee

The guidance does provide some detail on charging a fee but it would be helpful for a worked example
here to provide some additional clarity.

3. Efforts to find information

The guidance states that there is a high expectation to provide information in response to a DSAR and
you should make extensive efforts to find and retrieve the requested information. It would be useful to
have more detail in this section in terms of reasonableness and proportionality. In a scenario where a
DSAR has been received from an employee or former employee, retrieval of emails may produce a large
volume of “business as usual” emails, in addition to information relating to the requestor. When the
employment period goes back a number of years, a request with large scope can be impracticable to
administer due to the volume of such emails, often numbering thousands and requiring detailed analysis.

4. Manifestly unfounded or excessive requests

As currently drafted, the guidance focuses on when the request might not be considered excessive. It is
noted that Q4 of this consultation is seeking some examples to be included and this is welcomed.

5. Requests for information about children or young people

The guidance states that in Scotland, a person aged 12 years or older is presumed of sufficient age to
exercise their right of access but whilst this does not apply in England, Wales and Northern Ireland, this
would be a reasonable starting point. We would welcome more clarity on this. It is not clear what a
realistic expected appropriate approach would be to assessing the maturity of a child in England, Wales
and Northern Ireland. For “borderline cases” should additional detail be obtained to inform the
assessment or should we only consider the information known to us (which may be limited and
inconclusive)? What does the guidance mean by “in Scotland” in this instance?


Q3 


Does the draft guidance contain enough examples? 
O Yes
O No
O Unsure / don't know


If no or unsure/don’t know, please provide any examples that you think should be included in
the draft guidance.


In general, yes, the guidance does contain a reasonable number of examples; however, further examples
would be welcomed in the following scenarios:

1. Third party requests

The example provided relates to an individual acting as a third party. The reality is that third party
requests from companies constitute the majority of DSARs received and it would be useful to have an
example of this, in particular taking account of the issues mentioned in our response to question 1.

2. DSARs from employees/former employees

The draft guidance does contain some such examples and these are welcomed. It would be helpful for
some further examples in terms of the applications of exemptions, for example, where there are on-going
negotiations between employee and employer in the context of a settlement agreement. Also, useful
examples would be in the context of emails/documents containing commercially sensitive data and advice
provided by HR professionals to managers.

3. Charging a fee

The guidance does provide some detail on charging a fee but it would be helpful for a worked example
here to provide some additional clarity.

4. Manifestly unfounded or excessive

It is noted that this guidance is seeking examples which we hope will then be reflected in the final
version of the guidance note.


Q4 


We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would like
to include a wide range of examples from a variety of sectors to help you. Please
provide some examples of manifestly unfounded and excessive requests below (if
applicable).


The examples provided in the draft for manifestly unfounded requests are useful. 
In terms of excessive requests, we receive requests that have the same or a 
substantially similar scope, received from different third parties, acting on behalf of 
the same individual, when a reasonable period has not elapsed. It would be useful 
to have a practical example in the guidance. There are also circumstances where a 
request may be made, with a specific scope. Once issued, having considered the 
information provided, another request may be made, with a different scope. In this 
circumstance, the request does not repeat the substance of the previous request and 
does not overlap, but falls in quick succession to the previous request. 


Q5 On a scale of 1-5 how useful is the draft guidance?

1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score? 

The guidance is a useful, practical tool for handling DSARs and will be useful to a
very broad audience, rather than being sector specific. The guidance clearly calls
out that each request must be dealt with on a case-by-case basis, looking at the
circumstances of each case.

Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 

Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


The guidance in some places is not clear whether additional information should be 
sought or we should only act on the information we have, see point 5 in response to 
Q2. Another example being, as a non-health professional we are restricted from 
disclosing health data in response to a DSAR unless we have obtained an opinion 
from the appropriate health professional that the serious harm test is not met - is 
there an obligation to seek such an opinion in response to a DSAR? For example, we 
may have medical information in relation to an individual who has lost mental 
capacity where a lasting power of attorney has come into effect, where we can’t be 
satisfied that the health data has already been seen, or is known by, the individual. 
Further clarity on the practical operation of this restriction (for non-health 
professionals) would be useful. Finally, it would be useful if the finalised guidance 
was supported by blogs, webinars etc. to ensure a clear understanding of the key
points raised by the guidance. The guidance is welcomed and will prove valuable to
data protection professionals. 


Are you answering as: 

O An individual acting in a private capacity (eg someone providing their views as a member of the public)
O An individual acting in a professional capacity
O On behalf of an organisation
O Other

Please specify the name of your organisation: 

Prefer not to say 


What sector are you from: 


Financial 


Q10 How did you find out about this survey? 
O ICO Twitter account
O ICO Facebook account
O ICO LinkedIn account
O ICO website
O ICO newsletter
O ICO staff member
O Colleague
O Personal/work Twitter account
O Personal/work Facebook account
O Personal/work LinkedIn account
O Other
If other please specify: 


